Make ‘create group with update capabilities’ a non-admin privilege

01-08-2021 12:50 PM
Status: Open
New Contributor III

Currently, creating groups with update capabilities is an administrative privilege that can be assigned to a custom role. We’ve enabled our entire university community (6000+ users) to have this privilege in order to facilitate collaborative editing of StoryMaps, Web Apps, Web Maps, etc., which is a common need in class assignments and research projects (see collaboration models for ArcGIS Online). Assigning this privilege to a custom role which we automatically grant to new users relieves us of the administrative burden of creating groups for everyone that would like to collaborate on content. 

There is, however, an unfortunate side effect of this being an administrative privilege. When connecting to the GIS in ArcGIS Notebooks, every user now gets a warning stating they are signed in with an administrator role, and to proceed with caution:

Screen Shot 2021-01-08 at 3.42.11 PM.png

This is misleading and causes confusion, as our users do not have the administrator role assigned to them. Given that users without this ‘create group with update capabilities’ can be members of shared update groups, and edit content therein, I’m not sure what distinguishes this as an administrative privilege. 

I’m proposing that ‘create a group with update capabilities’ be made a non-administrative privilege in order to more easily facilitate collaboration amongst users.


I am confused. You wrote that you enabled 6000+ people to have administrator privilege's so they can create groups, but then you wrote the warning is misleading because they do not have administrator role. 

Aren't you worried about that manty people being able to make changes to your GIS


Hi @RobertBorchert,

There is a difference between a role and a privilege -- our users do not have the default administrative role assigned to them (giving them full administrative control from the entire suite of administrative privileges), simply this one privilege, which allows users to create their own Shared Update groups. Our users do not have any control over anyone else's content or the organization as a whole. 


They can  be Creator - Publishers and create Groups


By giving any administrative privilege you also give them all rights to any service on a federated arcgis server.  They can delete or edit any service.  This is also an unfortunate side effect.   I agree this makes things very difficult.  It also is misleading.  The fine grained permissions listed on portal do not correlate with the outdated security on the servers.  I agree ESRI needs to get this fixed.


@RobertBorchert Yes, you can create regular groups with the publisher role, but not shared update groups.  One way in which shared update groups function differently than regular groups is that members of the group may edit the same map or app, without having to save their own copy.

'Create group with update capabilities' is the privilege that allows a user to create shared update groups, and this is what i'm asking to be made a non-admin privilege. 


As the admin for our organization I support this idea. Another problem with adding it or any other "admin" privilege to a custom role is that the role cannot then be selected when a new account is created, and it cannot be used as a default role.


I support:  that ‘create a group with update capabilities’ be made a non-administrative privilege in order to more easily facilitate collaboration amongst users.

Our University struggles with the same thing. We would like this function to be part of the new member defaults, however because it is listed as a admin privilege, we cannot automatically assign this to users to enable them to "create group with update capabilities." 

Our current work around is to have all members assigned a default role and then we transition them to a role that is not assigned as a new member default. 

We haven't encountered the Notebook issue, but users are still ramping up on using those. Given the warning you are getting @Caitlin_Dickinson, that would confuse our users as well.


I have run into this same problem. I created a custom role that I made virtually identical to the default publisher role and I added the 'create group with update capabilities' privilege. I wanted our publishers to be able to create groups so they could collaborate more easily with their users. However, I do not want publishers to be administrators. When a publisher is assigned this custom role with this 1 admin privilege they then have the ability to see every service in our entire Enterprise organization, even if it hasn't been shared with them.

by Anonymous User

This is a needed enhancement in both AGOL and ArcGIS Enterprise.  The Admin privileges in general need an overhaul along with the inflexible server security.



Once you take this approach to use "create group with update capabilities" to enable more people to easily collaborate, i.e. use a custom role with this 1 admin privilege,  those users should NOT see every service in their entire organization. 

They should only be able to see the services that have been shared with them explicitly, or that have been shared with organization or public.

If your users with this capability are indeed seeing this behavior (all services), please place an Esri Tech Support call.